
Pros and cons of using a VPN (Virtual Private Network)

Don't get fooled

Websites or influencers telling you that using a VPN is the solution to all your privacy concerns are making a false statement. Not only are they not tech experts; in most cases they act as affiliates, and their promotion of VPN services should be viewed as an advertisement. When you click their link to a VPN provider or use their coupon code, they get a commission for referring you to the provider as a new client. They get paid when you subscribe through their channels. So there is a conflict of interest you should be aware of. The VPN providers pay thousands of bucks for advertisements on the channels of influencers and content creators. They also pay webmasters commissions to endorse their services.

Why using a VPN doesn't keep big tech and even smaller companies from tracking your activity on the web

In the best-case scenario, a reliable VPN keeps your real IP address from being leaked to other computers (servers) on the web by channeling your traffic through other network relays. The computer/website you connect to then sees the IP address of the exit node belonging to the VPN network you use. A reliable VPN provider also protects you from DNS leaks and prevents your ISP from logging which websites you browse in particular. What your ISP sees is that you are connecting to a VPN network, but it is not able to view the content that gets routed through the encrypted Virtual Private Network.

What a VPN alone cannot achieve

Keep you from being tracked by big tech and webgiants or state authorities

Why doesn't a VPN alone protect me from being tracked throughout the web?

Your computer has a unique fingerprint. You can find out about this yourself by visiting Browser Leaks. There are many identifiers that are used for fingerprinting. To name a few: Canvas, WebGL, WebRTC, fonts installed on your system, usage of browser add-ons, content filters (like adblockers), server side abilities (HTTP requests and such). A lot of the fingerprinting abilities only work when JavaScript is enabled on the client side (Your browser or application). A lot of websites use JS to gather information about your system. For example your monitor resolution, hardware that is in use, the fonts that are installed on your system etc. Then there are cookies as well and the Ad-Id.

Why should this be of concern to you?
While a single website may fingerprint your browser or place a cookie on your computer, it could only track what you are doing on this site in particular or any other site controlled by the same owner (this is a simplified explanation). But now take the webgiants into account. Millions if not billions of websites make use of the services provided by Google and Co. As an example, when you are logging in to your account at canva.com or suno.ai, there is a script being loaded in the background which consults Google servers. In fact, connections to google.com and gstatic.com are being made and a captcha is loaded. The websites are using this kind of service to prevent bots from accessing their network / login section. When the captcha isn't solved, you can't log in, as the data you entered into the login form doesn't trigger the login procedure on the servers of the website you are trying to log in to.

But now Google knows that you (they are monitoring you throughout the web) potentially have an account at canva.com or suno.com. At least they know that you are trying to log in there. These services do place a cookie on your computer to track you, but it doesn't end here. By using fingerprinting techniques, they not only identify you as a non-bot user but they also might tie your information to all the other information they have about your computer / you. They are able to interconnect your usage of different websites and on different platforms as well. Google's documentation on ReCaptcha is vague and evasive regarding what data gets collected IMHO. In fact the "ReCaptcha system is heavily obfuscated, as Google implemented a whole VM in JavaScript with a specific bytecode language" [²]. I'm pretty sure that they take the username / e-mail address entered into the form into account. That they are able to do this when a JavaScript is run by your browser is beyond question, see this quote.

All it takes is visiting a "compromised" website that makes use of the captcha or another service that makes network connections to Google or any other provider of a centralized web service. The least they can see and log is that your IP address has connected to the website that loads the script from a third party server. When you visit multiple sites in a row with the same IP address, even when there is no JavaScript fingerprinting or cookie placement involved (which isn't the case for most service providers as they have to fight bot traffic and spam constantly), they can log which websites you have visited as long as the script gets loaded. To prevent this, you can disable JavaScript altogether or disallow running / loading scripts from 3rd party domains, and make use of more countermeasures that I will mention below in the text.

But even then, as long as a Google font or an image hosted on a third party server (think of the Meta tracking pixel and such) is loaded, they can monitor which sites you frequent and tie it to your IP address. Even when there is no JavaScript involved.

And it doesn't stop there. It's not only Google that provides centralized services that many websites rely on and that may help them to identify and track you across the web. There are many third party scripts and/or resources that webmasters make use of without knowing about the dangers involved. Most big websites use one or more of the services mentioned below combined. A lot of smaller websites do it as well. Even some indie web and old web enthusiast sites make use of Google Fonts or Cloudflare or any other service mentioned. Not all of these services come with the same privacy concerns attached and not all of these are known to track users. But in general they all could (and probably do):

"Any script included into a page can read all cookies for which the httpOnly attribute is not set. Access restrictions for scripts are not determined based on the domain the script was loaded from but only in which page it is loaded into. This means all scripts loaded into a page have the same access and control over this page, no matter what the origin of the script was. Regarding cookies this means that you need to protect any sensitive cookies like session IDs with httpOnly if you have included third party scripts which are outside your control and trust into your page.
But including such scripts into a page working with sensitive data is a bad idea anyway, since such scripts can not only read cookies (unless httpOnly) but also extract information from forms (like login credentials) or change the client side application logic. [...] Note that these statements apply only to third party script which is directly included into the main page. If the script is instead, only inside a third party iframe inside the main page it can neither read cookies on the main page nor access or modify the DOM on it."
Steffen Ulrich (on StackExchange)
"Any site you pull a script from can completely control the user's experience on your site. If Google were feeling evil they could put something in their copy of jQuery to log your key presses, steal personal information from the page you're on to tie into their web tracking database, make you post “I love Google!” comments to every form, and so on. Google probably aren't actually going to do that, but it's a factor that's out of your control, and certainly something to worry about with other script-hosting services. There have been incidents before where stats scripts have been compromised with malware loaders."
bobince (on StackExchange)

3rd party scripts which are in use by a lot of websites

Regarding the risks involved by implementing 3rd party scripts or resources, a webmaster should rely on self-hosting scripts and resources as far as possible. I have to work on this myself and maybe this will be the final nail in the coffin of neocities for me, as neocities doesn't allow me to self-host all the things I want on my homepage.
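
The two quoted answers and the self-hosting advice above can be turned into a quick audit of a page's own markup. This added example is not from the original page or the quoted authors; the page URL, hosts, paths and cookie values are constructed, and `findThirdPartyIncludes` and `scriptReadableCookies` are hypothetical helper names.

```javascript
// Constructed sample page (assumption: hosts and paths are made up for illustration).
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
  <script src="/js/app.js"></script>
  <script src="https://www.google.com/recaptcha/api.js"></script>
</head><body>
  <img src="https://tracker.example/pixel.gif" width="1" height="1">
  <iframe src="https://widgets.example/embed"></iframe>
  <img src="/img/logo.png">
</body></html>`;

// Constructed Set-Cookie response headers for the same page.
const SAMPLE_COOKIES = [
  "session=abc123; Path=/; Secure; HttpOnly",
  "prefs=dark; Path=/",
];

// What each kind of third-party include exposes, following the quoted answers.
const EXPOSURE = {
  script: "full access: DOM, form fields, non-HttpOnly cookies",
  iframe: "cannot touch the parent page, but the host still sees the request",
  link: "no script execution; host sees visitor IP (and Referer unless suppressed)",
  img: "no script execution; host sees visitor IP (and Referer unless suppressed)",
};

// List every resource the page pulls from a host other than its own.
function findThirdPartyIncludes(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const tagRe = /<(script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  for (const [, tag, ref] of html.matchAll(tagRe)) {
    const host = new URL(ref, pageUrl).hostname; // resolves relative URLs too
    if (host !== pageHost) {
      const kind = tag.toLowerCase();
      findings.push({ kind, host, exposure: EXPOSURE[kind] });
    }
  }
  return findings;
}

// Names of cookies that any script running in the page can read.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(";").slice(1).some((a) => a.trim().toLowerCase() === "httponly"))
    .map((h) => h.split("=")[0].trim());
}
```

The regex scan is a rough inventory for hand-written pages; resources that scripts inject after load do not appear in the static HTML.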

But wait, there is more to it
Your devices are given a unique ID by their operating system. Your web browser and/or operating system may also have a unique ID tied to it, commonly referred to as the Advertising ID (Ad-Id).

"Apple calls their advertising ID the "Identifier for Advertisers" (IDFA). Google calls their implementation "Google Advertising ID" (GAID) and formerly "Android ID", "Android Device ID", or "Android Advertising ID" (AAID). Microsoft uses a similar technology, also called Advertising ID, that is generated for each device and user. In Windows 10 & 11, it can be turned off in the settings panel."
Wikipedia

How can you mitigate being tracked across the web
I don't know for sure. IMHO there isn't a 100% foolproof way to stop being tracked.

I'm not sure about this myself and maybe I don't have to be. I'm just a regular everyday normal guy and being tracked across the internet has become my reality. I don't do any p2p sharing, and I haven't even downloaded warez for way more than a decade now. Instead, I only make use of open source software or pay for proprietary software from a developer that I think is worth supporting. But the information I provide on this page may be of interest to people who are into piracy, or who really should have privacy concerns for other reasons (journalists, lawyers, psychiatrists; many people not only have to care about their own privacy but also the privacy of other people related to them).

In general, everybody should have at least some privacy concerns, as a lot of what is happening in our lives nowadays takes place online in some form or another, and people should be in charge of which information they share with the public.

There are measures you can take to prevent most of the tracking but I'm no expert in this field. So do your own due diligence and listen to experts who speak truth (that aren't on the payroll of big tech companies). Some people on the internet seem to defend big tech and surveillance in general. Some of these may as well be bots filling up security related discussions with information that suits "their" agenda. I've seen many discussions on the web where some users (be they human or bot) downplay the risks involved and what big tech and state authorities can or cannot do.

Bad actors can track and monitor your traffic. State surveillance is real and I'm glad to live in some kind of democracy at least. But it's not only China, Russia or North Korea, the mullah regime in Iran or the Saudis you should be afraid of. The freedom of speech is under attack, even in many western democracies. State surveillance is at an all-time high and it will only increase IMHO. I don't want to live in a world where having a different opinion on something puts you in the crosshairs of state actors. One day they will be able to cut you off from being able to pay (centralized digital currency), buy train tickets, take a flight or attend an event.

This is dystopian stuff. But after reality has become hard to distinguish from satire in the past few years, dystopia doesn't seem that far away anymore. It seems, we are getting there.

We have to fight for our privacy rights.
We have to fight for the freedom of speech,
the freedom of minds and thoughts.


Because that's all there is, all we have. The freedom of our mind.

May all of us live in peace

2025, From Tuffy with ❤️

How to avoid getting tracked online in most but not all cases as a regular user

This isn't a definitive list and it is incomplete. If you have any suggestions regarding countermeasures that I should add, drop me a note in the comment box on my main page.

You have to decide for yourself which browser you want to trust and whether using a VPN is necessary for you. As I already said, I don't go that route personally. I only use some of the countermeasures I have mentioned above, mainly for convenience, and I'm by no means an expert on this, as I have mentioned before. So take my view on this whole subject with a grain of salt and as what it is, the subjective view of a regular internet user.

How to really prevent being digitally surveilled

IMHO you can't. You would have to stop using digital communication altogether or use custom hardware and highly end-to-end encrypted communication channels. You would have to trash your smartphone, tablet etc. and even unsolder the microphones in your TV, and disable all Bluetooth and WLAN chips in your electronics and appliances. Drive a very old car, and even all of this combined doesn't cut it. There already is too much surveillance taking place. Think of license plate scanners, face recognition software and cameras being everywhere, the Alexa at your friend's house, their fridge with a built-in microphone connected to the internet...

We already live under heavy surveillance. Maybe this is a good thing. Maybe it is not. I'm somewhat glad that our authorities protect us from terrorists and criminals who lost their moral compass. On the other hand, the freedom of speech is of high value. So is the freedom of the mind.

"If you trade in your freedom for security, you will end up without either having one of them." This is my quote and there have been more famous and well versed people using the same analogy put in different words. You all know the original quote and the surrounding controversy around it? If not, google search for it. The best we can do is to make use of our voting rights and pray that all the power the digital structure holds in itself won't fall into the hands of really unscrupulous regimes. It boggles my mind to imagine what Hitler, Stalin, Mao or [insert bad dictator or regime here] would have achieved with the digital structure we have in place nowadays and what would have been the final outcome. Can you imagine Hitler being talked down by an AI Chatbot?

What will the future bring? Go and ask ChatGPT.

I'm out!

Peace my mates!

❤️ Tuffy!

Sources to check out:
(neuroradiology) Recaptcha Reverse Engineering - https://github.com/neuroradiology/InsideReCaptcha
(Steffen Ulrich) Ability to read front end input and cookies - https://security.stackexchange.com/questions/176545/can-advertisements-read-cookies-of-the-website-it-is-on
(bobince) Benefits and Pitfalls of hosting jQuery locally - https://stackoverflow.com/questions/3832446/benefits-vs-pitfalls-of-hosting-jquery-locally
(Wikipedia) Advertising ID - https://en.wikipedia.org/wiki/Advertising_ID

